MEDIUM

GHSA-p93v-m2r2-4387

Denial of service via insufficient metadata validation

Details

The PAM module for `fscrypt` through v0.3.2 doesn't adequately validate `fscrypt` metadata files, allowing users to create malicious metadata files that prevent other users from logging in. A local user can cause a denial of service by creating a `fscrypt` metadata file that prevents other users from logging into the system. We recommend upgrading to v0.3.3 or above.

For more details, see [CVE-2022-25327](https://www.cve.org/CVERecord?id=CVE-2022-25327).

Are you affected?

Enter the version of the package you're using.

Affected packages

Go / github.com/google/fscrypt

Introduced in: 0 Fixed in: 0.3.3

Fix go get github.com/google/fscrypt@v0.3.3

References

https://github.com/google/fscrypt/security/advisories/GHSA-p93v-m2r2-4387 [WEB]
https://github.com/google/fscrypt/commit/91aa3ebf42032ca783c41f9ec25d885875f66ddb [WEB]
https://pkg.go.dev/vuln/GO-2022-0340 [WEB]
github.com/google/fscrypt [PACKAGE]